Multimedia Network Security Lab

An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards

Author: JongHyup LEE
Source: 2011 Elsevier Journal of Network and Computer Applications
Presenter: 陳鈺惠
Date: 2013/12/04

Outline

1. Introduction
2. Overview of Sood et al.’s scheme
3. Proposed scheme
4. Protocol analysis
5. Conclusion

1. Introduction (1/1)

With the rapid development of the Internet and electronic commerce technology, many services, such as online shopping and online games, are provided through the Internet. This paper proposes an efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems.

2. Overview of Sood et al.’s scheme

Notation:
Ui: The ith user
Sk: The kth service providing server
CS: The control server
IDi: The identity of the user Ui
Pi: The password of the user Ui
SIDk: The identity of the server Sk
yi: The random number chosen by CS for user Ui
x: The master secret key maintained by CS
b: A random number chosen by the user for registration
CIDi: The dynamic identity generated by the user Ui for authentication
SK: A session key shared among the user, the service providing server and the CS
Ni1: A random number generated by the user Ui's smart card
Ni2: A random number generated by the server Sk for the user Ui
Ni3: A random number generated by the CS for the user Ui
h(·): A one-way hash function
⊕: Exclusive-OR operation
∥: Message concatenation operation

2. Overview of Sood et al.’s scheme (1/8)
Registration phase (Ui, Sk, CS)

Ui: Ai = h(IDi||b), Bi = h(b⊕Pi)
Ui → CS: (Ai, Bi)
CS: Fi = Ai⊕yi, Gi = Bi⊕h(yi)⊕h(x), Ci = Ai⊕h(yi)⊕x
CS: stores (Ci, yi⊕x)
CS → Ui: smart card (Fi, Gi, h(·))
Ui: Di = b⊕h(IDi||Pi), Ei = h(IDi||Pi)⊕Pi
Ui: smart card (Di, Ei, Fi, Gi, h(·))
Sk → CS: (SIDk, SKk)
CS: stores (SIDk, SKk⊕h(x||SIDk))

2. Overview of Sood et al.’s scheme (2/8)
Login phase (Ui, Sk, CS)

Ui: inputs IDi*, Pi*
Smart card: Ei* = h(IDi*||Pi*)⊕Pi*, checks Ei* = Ei?
Smart card: b = Di⊕h(IDi||Pi), Ai = h(IDi||b)
Smart card: Bi = h(b⊕Pi), yi = Fi⊕Ai
Smart card: h(x) = Gi⊕Bi⊕h(yi), Zi = h²(x)⊕Ni1
Smart card: CIDi = Ai⊕h(yi)⊕h(x)⊕Ni1
Smart card: Mi = h(h(x)||yi||SIDk||Ni1)
Ui → Sk: (SIDk, Zi, CIDi, Mi)

2. Overview of Sood et al.’s scheme (3/8)
Authentication and session key agreement phase (Ui, Sk, CS)

Sk: Ri = Ni2⊕SKk
Sk → CS: (SIDk, Zi, CIDi, Mi, Ri)
CS: Ni1 = Zi⊕h²(x), Ni2 = Ri⊕SKk
CS: Ci* = CIDi⊕Ni1⊕h(x)⊕x, checks Ci* = Ci?, extracts yi
CS: Mi* = h(h(x)||yi||SIDk||Ni1), checks Mi* = Mi?
CS: Ki = Ni1⊕Ni3⊕h(SKk||Ni2)
CS: Xi = h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
CS: Vi = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
CS: Ti = Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
CS → Sk: (Ki, Xi, Vi, Ti)

2. Overview of Sood et al.’s scheme (4/8)
Authentication and session key agreement phase (Ui, Sk, CS)

Sk: Ni1⊕Ni3 = Ki⊕h(SKk||Ni2)
Sk: h(IDi||yi||Ni1) = Xi⊕h(Ni1⊕Ni2⊕Ni3)
Sk: Vi* = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)], checks Vi* = Vi?
Sk → Ui: (Vi, Ti)
Ui: Ni2⊕Ni3 = Ti⊕h(yi||IDi||h(x)||Ni1)
Ui: Vi* = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)], checks Vi* = Vi?
Session key: SK = h(h(IDi||yi||Ni1)||(Ni1⊕Ni2⊕Ni3))

2. Overview of Sood et al.’s scheme (5/8)
Leak-of-verifier attack

The user Uk has (Dk, Ek, Fk, Gk, h(·)), IDk, Pk.
The user can compute:
bk = Dk⊕h(IDk||Pk)
Ak = h(IDk||b)
yk = Fk⊕Ak
Bk = h(b⊕Pk)
h(x) = Gk⊕Bk⊕h(yk)
Uk gets yk, h(x).
If yi⊕x and Ci = Ai⊕h(yi)⊕x of a client are leaked:
Uk gets x, h(x), yi⊕x from yk, then gets yi, Ai and h(x).
Uk logs in.

2. Overview of Sood et al.’s scheme (6/8)
Leak-of-verifier attack

Uk gets a random number Ni′1 and computes:
CID′i = Ai⊕h(yi)⊕h(x)⊕Ni′1
M′i = h(h(x)||yi||SIDj||Ni′1)
Z′i = h²(x)⊕Ni′1
Uk submits the login request message (SIDj, Z′i, CID′i, M′i) to Sj.
Sj gets a random number Ni′2, computes Ri = Ni2⊕SKj and submits to CS.
CS computes Ni1 = Z′i⊕h²(x), Ni2 = Ri⊕SKj
C*i = CID′i⊕Ni′1⊕h(x)⊕x = Ai⊕h(yi)⊕x = Ci
CS computes Mi* = h(h(x)||yi||SIDj||Ni′1) = M′i
Uk gets yi⊕x, Ci = Ai⊕h(yi)⊕x.

2. Overview of Sood et al.’s scheme (7/8)
Stolen smart card attack

If a previously valid login message (SIDj, Zi, CIDi, Mi) was eavesdropped, Uk computes:
Ni1 = Z′i⊕h²(x)
Ai⊕h(yi) = CIDi⊕Ni1⊕h(x)
Uk extracts (Di, Ei, Fi, Gi, h(·)) and computes:
bi⊕Pi = Di⊕Ei
h(bi⊕Pi) = Bi
h(yi) = Gi⊕Bi⊕h(x)
Ai = h(yi)⊕(Ai⊕h(yi))
yi = Fi⊕Ai
Uk gets h(x), yi.

2. Overview of Sood et al.’s scheme (8/8)
Incorrect authentication and session key agreement phase

In the registration phase, Ui submits Ai, Bi rather than the true identity IDi to CS. But in step 4, CS has to compute values that depend on IDi:
Xi = h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
Vi = h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
Ti = Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)

3. Proposed scheme

Notation:
Ui: The ith user
Sj: The service providing server
CS: The control server
IDi: The identity of the user Ui
Pi: The password of the user Ui
SIDk: The identity of the server Sk
yi: The random number chosen by CS for user Ui
x: The master secret key maintained by CS
b: A random number chosen by the user for registration
CIDi: The dynamic identity generated by the user Ui for authentication
SK: A session key shared among the user, the service providing server and the CS
Ni1: A random number generated by the user Ui's smart card
Ni2: A random number generated by the server Sk for the user Ui
Ni3: A random number generated by the CS for the user Ui
h(·): A one-way hash function
⊕: Exclusive-OR operation
∥: Message concatenation operation

3. Proposed scheme (1/4)
Registration phase (Ui, Sj, CS)

Ui: chooses IDi, Pi, b
Ui: Ai = h(b||Pi)
Ui → CS: (IDi, Ai)
CS: Bi = h(IDi||x), Ci = h(IDi||h(y)||Ai)
CS: Di = Bi⊕h(IDi||Ai), Ei = Bi⊕h(y||x)
CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
Ui: enters b into the smart card
Smart card: stores (Ci, Di, Ei, h(·), h(y), b)

3. Proposed scheme (2/4)
Login phase (Ui, Sj, CS)

Ui: inputs IDi, Pi
Smart card: computes Ai = h(b||Pi), Ci′ = h(IDi||h(y)||Ai), checks Ci′ = Ci?
Smart card: generates Ni1
Smart card: Bi = Di⊕h(IDi||Ai), Fi = h(y)⊕Ni1
Smart card: Pij = Ei⊕h(h(y)||Ni1||SIDj)
Smart card: CIDi = Ai⊕h(Bi||Fi||Ni1)
Smart card: Gi = h(Bi||Ai||Ni1)
Ui → Sj: (Fi, Gi, Pij, CIDi)

3. Proposed scheme (3/4)
Authentication and session key agreement phase (Ui, Sj, CS)

Sj: chooses Ni2
Sj: Ki = h(SIDj||y)⊕Ni2
Sj: Mi = h(h(x||y)||Ni2)
Sj → CS: (Fi, Gi, Pij, CIDi, SIDj, Ki, Mi)
CS: Ni2 = Ki⊕h(SIDj||y)
CS: Mi′ = h(h(x||y)||Ni2), checks Mi′ = Mi?
CS: Ni1 = Fi⊕h(y)
CS: Bi = Pij⊕h(h(y)||Ni1||SIDj)⊕h(y||x)
CS: Ai = CIDi⊕h(Bi||Fi||Ni1)
CS: Gi′ = h(Bi||Ai||Ni1), checks Gi′ = Gi?
CS: generates Ni3
CS: Qi = Ni1⊕Ni3⊕h(SIDj||Ni2)
CS: Ri = h(Ai||Bi)⊕h(Ni1⊕Ni2⊕Ni3)
CS: Vi = h(h(Ai||Bi)||h(Ni1⊕Ni2⊕Ni3))
CS: Ti = Ni2⊕Ni3⊕h(Ai||Bi||Ni1)

3. Proposed scheme (4/4)
Authentication and session key agreement phase (Ui, Sj, CS)

CS → Sj: (Qi, Ri, Vi, Ti)
Sj: Ni1⊕Ni3 = Qi⊕h(SIDj||Ni2)
Sj: h(Ai||Bi) = Ri⊕h(Ni1⊕Ni3⊕Ni2)
Sj: Vi′ = h(h(Ai||Bi)||h(Ni1⊕Ni3⊕Ni2)), checks Vi′ = Vi?
Sj → Ui: (Vi, Ti)
Ui: Ni2⊕Ni3 = Ti⊕h(Ai||Bi||Ni1)
Ui: Vi′ = h(h(Ai||Bi)||h(Ni2⊕Ni3⊕Ni1)), checks Vi′ = Vi?
Session key: SK = h(h(Ai||Bi)||(Ni1⊕Ni2⊕Ni3))

4. Protocol analysis

5. Conclusion

The protocol proposed in this paper can satisfy all the essential requirements for multi-server architecture authentication. Compared with Sood et al.'s (2011) protocol and other related protocols, our proposed protocol keeps the efficiency and is more secure. Therefore, our protocol is more suitable for practical applications.
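
The registration, login, and authentication and session key agreement phases of the proposed scheme (section 3), run end to end as an added Python example; it is not code from the paper or the slides. Assumptions: SHA-256 stands in for h(·), every secret and nonce is a 32-byte string, the function names are hypothetical, and Sj already holds h(SIDj||y) and h(x||y).

```python
import functools, hashlib, hmac, operator, secrets

def h(*parts):  # h(a||b||...); SHA-256 stands in for the slides' h(.) (assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):  # XOR of equal-length byte strings
    return bytes(functools.reduce(operator.xor, t) for t in zip(*vals))

def check(got, want, who):  # the slides' "X' = X ?" tests, in constant time
    if not hmac.compare_digest(got, want):
        raise ValueError(who + " failed verification")

def register(ID, P, x, y):  # Ui chooses b; CS derives the smart card contents
    b = secrets.token_bytes(32)
    A, B = h(b, P), h(ID, x)
    return {"C": h(ID, h(y), A), "D": xor(B, h(ID, A)),
            "E": xor(B, h(y, x)), "hy": h(y), "b": b}

def login(card, ID, P, SID):  # returns (Fi, Gi, Pij, CIDi) and Ui's state
    A = h(card["b"], P)
    check(h(ID, card["hy"], A), card["C"], "card holder")
    N1 = secrets.token_bytes(32)
    B, F = xor(card["D"], h(ID, A)), xor(card["hy"], N1)
    Pij = xor(card["E"], h(card["hy"], N1, SID))
    return (F, h(B, A, N1), Pij, xor(A, h(B, F, N1))), (A, B, N1)

def cs_verify(req, SID, K, M, x, y):  # returns (Qi, Ri, Vi, Ti) and CS's copy of SK
    F, G, Pij, CID = req
    N2, N1 = xor(K, h(SID, y)), xor(F, h(y))
    check(h(h(x, y), N2), M, "server")
    B = xor(Pij, h(h(y), N1, SID), h(y, x))
    A = xor(CID, h(B, F, N1))
    check(h(B, A, N1), G, "user")
    N3 = secrets.token_bytes(32)
    n, hab = xor(N1, N2, N3), h(A, B)
    return (xor(N1, N3, h(SID, N2)), xor(hab, h(n)), h(hab, h(n)),
            xor(N2, N3, h(A, B, N1))), h(hab, n)

def run(ID=b"alice", P=b"pw", SID=b"S1", typed_pw=None):  # constructed inputs
    x, y = secrets.token_bytes(32), secrets.token_bytes(32)  # CS's secrets
    card = register(ID, P, x, y)
    req, (A, B, N1) = login(card, ID, typed_pw or P, SID)
    N2 = secrets.token_bytes(32)  # Sj's nonce; Sj sends Ki, Mi built from it
    (Q, R, V, T), sk_cs = cs_verify(req, SID, xor(h(SID, y), N2), h(h(x, y), N2), x, y)
    n = xor(Q, h(SID, N2), N2)  # Sj recovers Ni1^Ni2^Ni3, then h(Ai||Bi) from Ri
    check(h(xor(R, h(n)), h(n)), V, "CS, as seen by Sj")
    sk_s = h(xor(R, h(n)), n)
    n = xor(T, h(A, B, N1), N1)  # Ui recovers Ni1^Ni2^Ni3 from Ti
    check(h(h(A, B), h(n)), V, "CS, as seen by Ui")
    return h(h(A, B), n), sk_s, sk_cs
```

`run()` returns the copies of SK held by Ui, Sj and CS, which must be equal; a wrong password is rejected by the smart card before any message is sent.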